Netscreen 20 cisco asa vpn routed mode



  • Hello,
    I am using a Juniper-Netscreen20 to connect to a CISCO asa with a VPN tunnel.
    I am using a routed mode VPN on my Netscreen and I am trying to connect to the configuration below.
    My Tunnel interface is setup as 10.2.300.224 255.255.255.224. When I try to connect to the remote cisco gateway
    I pass phase 1 and right after phase 2 I get the following message
    <...>Received notification message for DOI <1><18> <INVALID-ID-NOTIFICATION>, that message makes me think
    that my proxy ID values are not matching. As you know I only have one place to enter the remote network address on the Juniper.

    How could I match the remote Proxy ID information with the info below?

    I see 192.168.3.XX and 172.16.2.XX

    Acls for interesting traffic;
    access-list client-vpn-2-us permit tcp host 192.168.3.54 10.2.300.224 255.255.255.224 eq 1433
    access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 1433
    access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 1433
    access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 1433
    access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 1433
    access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 139
    access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 445
    access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.300.224 255.255.255.224 eq 138
    access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 139
    access-list client-vpn-2-us permit tcp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 445
    access-list client-vpn-2-us permit udp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit udp host 192.168.3.57 10.2.300.224 255.255.255.224 eq 138
    access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 139
    access-list client-vpn-2-us permit tcp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 445
    access-list client-vpn-2-us permit udp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit udp host 192.168.3.93 10.2.300.224 255.255.255.224 eq 138
    access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 139
    access-list client-vpn-2-us permit tcp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 445
    access-list client-vpn-2-us permit udp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit udp host 192.168.3.175 10.2.300.224 255.255.255.224 eq 138
    access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 139
    access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 445
    access-list client-vpn-2-us permit udp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 137
    access-list client-vpn-2-us permit udp host 172.16.2.165 10.2.300.224 255.255.255.224 eq 138
    Crypto map etc
    crypto ipsec transform-set client-strong esp-3des esp-sha-hmac
    crypto map client-vpn 5 match address Client-vpn-2-US
    crypto map client-vpn 5 set peer 28.9.111.129
    crypto map client-vpn 5 set transform-set Client-strong
    crypto map client-vpn interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800



  • Here is the problem. When you specify multiple ACL rules permitting particular IP hosts/subnets and different services, the Cisco will create individual security associations (SAs) for each of them. So to match this on the SSG side you must also create individual SAs for each source/dest ip/port specified. You cannot aggregate this onto one SA on the SSG side while the Cisco is expecting different SAs for each. This is why proxy-IDs are not matching. The SSG is expecting a single proxy-ID whereas the Cisco is sending multiple different ones.

    You have two ways to make this work.
    1. Eliminate all the different ACL entries on the Cisco and try to encompass as many as possible into a much smaller number of SAs.

    or

    2. On the SSG, create policy-based VPNs for each and every Cisco ACL derived SA.

    I should also mention option 3, replace the Cisco box with another Juniper box and then you can use route-based VPN with regular security policies on both sides.
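The reply's point, that the Cisco proposes one phase-2 selector (proxy ID) per permit ACE while a route-based ScreenOS tunnel offers a single one, is easy to make concrete by reading the ACL back. The Python script below is an added example written for this thread, not code from either poster or from Cisco or Juniper. It parses ACEs in the shape shown in the post, lists the distinct selectors the Cisco side will propose, shows what each would have to look like from the SSG side (local and remote swapped, protocol and port narrowed to the ACE), and then folds them the way option 1 suggests. The sample ACL is constructed: it uses 10.2.30.224/27 as a valid placeholder for the obfuscated destination in the post, and the SSG-side output is a descriptive tuple, not ScreenOS CLI syntax.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the shape of the post's ACL (destination is a valid
# placeholder; the post's 10.2.300.224 is not a legal IPv4 address).
SAMPLE_ACL = """
access-list client-vpn-2-us permit tcp host 192.168.3.54 10.2.30.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.30.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 172.16.2.165 10.2.30.224 255.255.255.224 eq 1433
access-list client-vpn-2-us permit tcp host 192.168.3.56 10.2.30.224 255.255.255.224 eq 445
access-list client-vpn-2-us permit udp host 192.168.3.56 10.2.30.224 255.255.255.224 eq 138
access-list client-vpn-2-us extended deny ip any any
"""

PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class ProxyId:
    """One phase-2 traffic selector as the Cisco side proposes it."""
    local: ipaddress.IPv4Network    # Cisco-side hosts (ACE source)
    remote: ipaddress.IPv4Network   # SSG-side network (ACE destination)
    protocol: int                   # 0 = any
    port: str                       # "any" or the 'eq' value


def _parse_addr(tokens, i):
    """Consume an ASA address spec at tokens[i]: 'any', 'host X', or 'X MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Turn one 'access-list NAME [extended] permit PROTO SRC DST [eq PORT]'
    line into a ProxyId; deny entries and non-ACL lines yield None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        return None
    i = 2
    if tokens[i] == "extended":
        i += 1
    if tokens[i] != "permit":           # deny ACEs never create an SA
        return None
    proto = PROTO_NUM.get(tokens[i + 1])
    if proto is None:
        return None
    i += 2
    src, i = _parse_addr(tokens, i)
    if i + 1 < len(tokens) and tokens[i] == "eq":   # optional source port
        i += 2
    dst, i = _parse_addr(tokens, i)
    port = "any"
    if i + 1 < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
    return ProxyId(src, dst, proto, port)


def proxy_ids(acl_text):
    """Distinct selectors the Cisco proposes: one per permit ACE, duplicates dropped."""
    ids = []
    for line in acl_text.splitlines():
        pid = parse_ace(line.strip())
        if pid is not None and pid not in ids:
            ids.append(pid)
    return ids


def ssg_view(pid):
    """The same selector as the SSG must state it (option 2): local and remote
    swapped, service narrowed to the ACE's protocol and port."""
    name = {0: "ANY", 1: "ICMP", 6: "TCP", 17: "UDP"}[pid.protocol]
    service = name if pid.port == "any" else f"{name}/{pid.port}"
    return {"local": str(pid.remote), "remote": str(pid.local), "service": service}


def covering_supernet(nets):
    """Smallest single prefix that contains every network in nets."""
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def aggregate(ids, min_prefixlen=24):
    """Option 1: fold per-ACE selectors into fewer, wider ones. Selectors with
    the same remote network merge while their covering supernet stays at least
    /min_prefixlen; protocol and port become 'any'. Note the trade: the tunnel
    then admits every host and service inside the widened prefix."""
    groups = []                                  # [local_supernet, remote]
    for pid in ids:
        for g in groups:
            if g[1] != pid.remote:
                continue
            cand = covering_supernet([g[0], pid.local])
            if cand.prefixlen >= min_prefixlen:
                g[0] = cand
                break
        else:
            groups.append([pid.local, pid.remote])
    return [ProxyId(loc, rem, 0, "any") for loc, rem in groups]


if __name__ == "__main__":
    ids = proxy_ids(SAMPLE_ACL)
    print(f"Cisco will propose {len(ids)} selectors; SSG side needs:")
    for pid in ids:
        print("  ", ssg_view(pid))
    print("After option-1 style aggregation:")
    for pid in aggregate(ids):
        print("  ", ssg_view(pid))
```

On the constructed sample the five permit ACEs become five selectors, and aggregation within a /24 boundary reduces them to two (a 192.168.3.48/28 block and the lone 172.16.2.165 host), which is the shape of the reply's option 1: fewer SAs, but each one now carries any protocol and port for every address in the widened prefix, so the ACL no longer limits what crosses the tunnel.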

